5990b70841f0acf830b1b603891ecbb2cf25665ce299a057d2b166a117d5a5bd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe
Size

197KB
MD5

ab879f5f21873982a325113e4933a199
SHA1

369ef936df485ef029f57d25c58e9b3efe9888c0
SHA256

5990b70841f0acf830b1b603891ecbb2cf25665ce299a057d2b166a117d5a5bd
SHA512

aa36a35aa6121982f07e65fd98e76ae769c9289ae164a18b66b45aa233f5bfa826ef91b29aee54f2562041ad899f59a648d79411b38841ec656eeed519f2967c
SSDEEP

3072:jEGh0oml+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMQ:jEGIlEeKcAEca

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233fa-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023403-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000700000002340c-10.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0009000000023403-14.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000800000002340a-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000600000002296d-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000a00000002335d-27.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023417-31.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002335d-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023417-39.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000d00000002335d-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000c00000002335b-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DA9F6CE-65F3-4832-9216-9894D0C275BC}\stubpath = "C:\\Windows\\{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe"	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AF5188-52FB-4457-8D8C-67DFE06F9764}\stubpath = "C:\\Windows\\{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe"	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E344C4-1B57-4b0a-AADB-CA864D6A8512}	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E55B9043-921C-4305-842C-AF29B6C9F826}	{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}\stubpath = "C:\\Windows\\{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe"	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4AF5188-52FB-4457-8D8C-67DFE06F9764}	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E344C4-1B57-4b0a-AADB-CA864D6A8512}\stubpath = "C:\\Windows\\{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe"	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9748195-9570-40fa-948E-0C094533AAF1}\stubpath = "C:\\Windows\\{A9748195-9570-40fa-948E-0C094533AAF1}.exe"	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC6D584-4EC1-4901-82BF-12966FB07236}	{A9748195-9570-40fa-948E-0C094533AAF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AC6D584-4EC1-4901-82BF-12966FB07236}\stubpath = "C:\\Windows\\{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe"	{A9748195-9570-40fa-948E-0C094533AAF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{972AEDEA-3223-4c49-A6E8-D1D7E7988648}	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF7C5490-9BF1-4735-B683-9CEA2470877C}\stubpath = "C:\\Windows\\{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe"	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{972AEDEA-3223-4c49-A6E8-D1D7E7988648}\stubpath = "C:\\Windows\\{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe"	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E55B9043-921C-4305-842C-AF29B6C9F826}\stubpath = "C:\\Windows\\{E55B9043-921C-4305-842C-AF29B6C9F826}.exe"	{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA8E616-0298-4f5d-9E4E-36D377828ED8}\stubpath = "C:\\Windows\\{3FA8E616-0298-4f5d-9E4E-36D377828ED8}.exe"	{E55B9043-921C-4305-842C-AF29B6C9F826}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF7C5490-9BF1-4735-B683-9CEA2470877C}	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}\stubpath = "C:\\Windows\\{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe"	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DA9F6CE-65F3-4832-9216-9894D0C275BC}	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}\stubpath = "C:\\Windows\\{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe"	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9748195-9570-40fa-948E-0C094533AAF1}	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA8E616-0298-4f5d-9E4E-36D377828ED8}	{E55B9043-921C-4305-842C-AF29B6C9F826}.exe

Executes dropped EXE 12 IoCs

pid	Process
4980	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe
544	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe
1468	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe
8	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe
4304	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe
2008	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe
2112	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe
3596	{A9748195-9570-40fa-948E-0C094533AAF1}.exe
2916	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe
2748	{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe
2964	{E55B9043-921C-4305-842C-AF29B6C9F826}.exe
3948	{3FA8E616-0298-4f5d-9E4E-36D377828ED8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe
File created	C:\Windows\{A9748195-9570-40fa-948E-0C094533AAF1}.exe	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe
File created	C:\Windows\{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe
File created	C:\Windows\{3FA8E616-0298-4f5d-9E4E-36D377828ED8}.exe	{E55B9043-921C-4305-842C-AF29B6C9F826}.exe
File created	C:\Windows\{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe
File created	C:\Windows\{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe
File created	C:\Windows\{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe
File created	C:\Windows\{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe	{A9748195-9570-40fa-948E-0C094533AAF1}.exe
File created	C:\Windows\{E55B9043-921C-4305-842C-AF29B6C9F826}.exe	{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe
File created	C:\Windows\{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe
File created	C:\Windows\{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe
File created	C:\Windows\{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5036	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe
Token: SeIncBasePriorityPrivilege	4980	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe
Token: SeIncBasePriorityPrivilege	544	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe
Token: SeIncBasePriorityPrivilege	1468	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe
Token: SeIncBasePriorityPrivilege	8	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe
Token: SeIncBasePriorityPrivilege	4304	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe
Token: SeIncBasePriorityPrivilege	2008	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe
Token: SeIncBasePriorityPrivilege	2112	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe
Token: SeIncBasePriorityPrivilege	3596	{A9748195-9570-40fa-948E-0C094533AAF1}.exe
Token: SeIncBasePriorityPrivilege	2916	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe
Token: SeIncBasePriorityPrivilege	2748	{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe
Token: SeIncBasePriorityPrivilege	2964	{E55B9043-921C-4305-842C-AF29B6C9F826}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4980	5036	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe	95
PID 5036 wrote to memory of 4980	5036	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe	95
PID 5036 wrote to memory of 4980	5036	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe	95
PID 5036 wrote to memory of 2308	5036	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe	96
PID 5036 wrote to memory of 2308	5036	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe	96
PID 5036 wrote to memory of 2308	5036	2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe	96
PID 4980 wrote to memory of 544	4980	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe	99
PID 4980 wrote to memory of 544	4980	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe	99
PID 4980 wrote to memory of 544	4980	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe	99
PID 4980 wrote to memory of 3948	4980	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe	100
PID 4980 wrote to memory of 3948	4980	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe	100
PID 4980 wrote to memory of 3948	4980	{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe	100
PID 544 wrote to memory of 1468	544	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe	103
PID 544 wrote to memory of 1468	544	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe	103
PID 544 wrote to memory of 1468	544	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe	103
PID 544 wrote to memory of 4624	544	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe	104
PID 544 wrote to memory of 4624	544	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe	104
PID 544 wrote to memory of 4624	544	{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe	104
PID 1468 wrote to memory of 8	1468	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe	105
PID 1468 wrote to memory of 8	1468	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe	105
PID 1468 wrote to memory of 8	1468	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe	105
PID 1468 wrote to memory of 4644	1468	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe	106
PID 1468 wrote to memory of 4644	1468	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe	106
PID 1468 wrote to memory of 4644	1468	{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe	106
PID 8 wrote to memory of 4304	8	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe	107
PID 8 wrote to memory of 4304	8	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe	107
PID 8 wrote to memory of 4304	8	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe	107
PID 8 wrote to memory of 2892	8	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe	108
PID 8 wrote to memory of 2892	8	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe	108
PID 8 wrote to memory of 2892	8	{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe	108
PID 4304 wrote to memory of 2008	4304	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe	116
PID 4304 wrote to memory of 2008	4304	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe	116
PID 4304 wrote to memory of 2008	4304	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe	116
PID 4304 wrote to memory of 3692	4304	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe	117
PID 4304 wrote to memory of 3692	4304	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe	117
PID 4304 wrote to memory of 3692	4304	{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe	117
PID 2008 wrote to memory of 2112	2008	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe	118
PID 2008 wrote to memory of 2112	2008	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe	118
PID 2008 wrote to memory of 2112	2008	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe	118
PID 2008 wrote to memory of 3228	2008	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe	119
PID 2008 wrote to memory of 3228	2008	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe	119
PID 2008 wrote to memory of 3228	2008	{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe	119
PID 2112 wrote to memory of 3596	2112	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe	124
PID 2112 wrote to memory of 3596	2112	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe	124
PID 2112 wrote to memory of 3596	2112	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe	124
PID 2112 wrote to memory of 4764	2112	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe	125
PID 2112 wrote to memory of 4764	2112	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe	125
PID 2112 wrote to memory of 4764	2112	{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe	125
PID 3596 wrote to memory of 2916	3596	{A9748195-9570-40fa-948E-0C094533AAF1}.exe	126
PID 3596 wrote to memory of 2916	3596	{A9748195-9570-40fa-948E-0C094533AAF1}.exe	126
PID 3596 wrote to memory of 2916	3596	{A9748195-9570-40fa-948E-0C094533AAF1}.exe	126
PID 3596 wrote to memory of 3588	3596	{A9748195-9570-40fa-948E-0C094533AAF1}.exe	127
PID 3596 wrote to memory of 3588	3596	{A9748195-9570-40fa-948E-0C094533AAF1}.exe	127
PID 3596 wrote to memory of 3588	3596	{A9748195-9570-40fa-948E-0C094533AAF1}.exe	127
PID 2916 wrote to memory of 2748	2916	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe	128
PID 2916 wrote to memory of 2748	2916	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe	128
PID 2916 wrote to memory of 2748	2916	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe	128
PID 2916 wrote to memory of 1704	2916	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe	129
PID 2916 wrote to memory of 1704	2916	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe	129
PID 2916 wrote to memory of 1704	2916	{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe	129
PID 2748 wrote to memory of 2964	2748	{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe	130
PID 2748 wrote to memory of 2964	2748	{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe	130
PID 2748 wrote to memory of 2964	2748	{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe	130
PID 2748 wrote to memory of 4640	2748	{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe	131

C:\Users\Admin\AppData\Local\Temp\2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-24_ab879f5f21873982a325113e4933a199_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe
  C:\Windows\{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe
    C:\Windows\{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe
      C:\Windows\{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe
        
        C:\Windows\{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe
        
        C:\Windows\{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe
        
        C:\Windows\{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe
        
        C:\Windows\{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\{A9748195-9570-40fa-948E-0C094533AAF1}.exe
        
        C:\Windows\{A9748195-9570-40fa-948E-0C094533AAF1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe
        
        C:\Windows\{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe
        
        C:\Windows\{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\{E55B9043-921C-4305-842C-AF29B6C9F826}.exe
        
        C:\Windows\{E55B9043-921C-4305-842C-AF29B6C9F826}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\{3FA8E616-0298-4f5d-9E4E-36D377828ED8}.exe
        
        C:\Windows\{3FA8E616-0298-4f5d-9E4E-36D377828ED8}.exe
        13⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E55B9~1.EXE > nul
        13⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{972AE~1.EXE > nul
        12⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AC6D~1.EXE > nul
        11⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9748~1.EXE > nul
        10⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07E34~1.EXE > nul
        9⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4AF5~1.EXE > nul
        8⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{144F0~1.EXE > nul
        7⤵
        
        PID:3692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1DBD~1.EXE > nul
        6⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DA9F~1.EXE > nul
        5⤵
        
        PID:4644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C38A6~1.EXE > nul
      4⤵
      PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FF7C5~1.EXE > nul
    3⤵
    PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07E344C4-1B57-4b0a-AADB-CA864D6A8512}.exe

Filesize
197KB

MD5
d2c45181a05f6ba63c0525b9410b2adc

SHA1
5034290aaf95ef67c205d2531cacee463cfa0a86

SHA256
96eb83e338c99b68f40ccb7f45df7e9ae9613853a5575274c737f2ed7808fae0

SHA512
a9a05d8276dad92d595aaa90818a6260d3d75c33bd9192c476c9f76a03619daa54e4409973f1a661e81a518c4ab159bd40e5a14bf60d607792788382bb732228

Download Submit
C:\Windows\{144F0440-2E62-46ba-97BE-B7C2CEEAC90E}.exe

Filesize
197KB

MD5
675fb33ee8058ad8661583e74f951630

SHA1
e43bbd3ffb47376a580a5c7400351760706bea53

SHA256
87472228b1202fc077e78f26f7f6d0f2b576e3d537a96c278078bc0e014aad60

SHA512
0bc10f2d7e98d8b0e11e536803cca717ee935f9e01dc3f813032336053637b3a37ef4ce727dd237726dc51a0eec8a484a6118793c355b0c62fd2ca05ecd3e1dd

Download Submit
C:\Windows\{3FA8E616-0298-4f5d-9E4E-36D377828ED8}.exe

Filesize
197KB

MD5
cc9757f90d68092f978ec984e28bbb7e

SHA1
7c4ac9eb36c4aeadafda400e245a8768866bc0ab

SHA256
452bae2e8b90a5d6e8fc5490c4cc71c72d9114876fa9586a2bf2f1e140f73afc

SHA512
42246dfd3a99f6ed93f034b5d9cb85cdda8e579cacf515d19b64323200375fc833d0337df2d459611d6e3a8a43fdb69cba3245c05281997b24c3f1fb860e4abc

Download Submit
C:\Windows\{4AC6D584-4EC1-4901-82BF-12966FB07236}.exe

Filesize
197KB

MD5
656dff9a0aeb07661724a0ed15b6a912

SHA1
4eac5688890da045f399a5c61102728198d234cd

SHA256
b8b5f6f1657c9077c49a9d5c2174bbd3aeecb5bf645d9bc0fdfdd69f2500ec2e

SHA512
6f8ce0b3e55c094ba98060bfce159cfebfacc205a178fbe5b61eeec3751ad51e3fcf77132a514fae11a7b5eca499bb8a7959b666e7039aab22a72ba4360f57fc

Download Submit
C:\Windows\{7DA9F6CE-65F3-4832-9216-9894D0C275BC}.exe

Filesize
197KB

MD5
9b8ef2297241428d1a156e5f12b628b3

SHA1
edd48c273f183652be4007c1716a2236dd94cd64

SHA256
43bece9ae0f9128e6a0c9c8927c9514793dd2f921930678b7e90e1bec0f9ee33

SHA512
d15e010b1898e70ab1df4c565bc0c5ac3f5653e2cbb7c513828fe195f2a0b98c24895b638818b827440536269c04f367c0e7ba2875aa11cb48daa30e1fa6b631

Download Submit
C:\Windows\{972AEDEA-3223-4c49-A6E8-D1D7E7988648}.exe

Filesize
197KB

MD5
3316da908bba938f51e0c858d66ff3ed

SHA1
529e209c2cb44cc871163157f468af97d579f511

SHA256
8d90c742a6591a0ea2dde2518e58cf418bc2ebf9dea7c2444fe0d421c812397c

SHA512
f540db3842adbbc2fc7c6090492dcd0b50cb0c604fdeeb7b850e53fe8d09bb91c43e7f28a05a2c025cc164acffc5ef45db105c041f3872ef0fb1bfc07b7574a3

Download Submit
C:\Windows\{A1DBD5B7-FE9B-4676-8D0E-7E94857A2EFB}.exe

Filesize
197KB

MD5
74bb9ee66543613bf5b0259c3b112acd

SHA1
d6ab3d3f0ca707b3b4a11effae74e77aa559b060

SHA256
ca085ddf4ceb0f3204b8992b710a6819d9e56822f69a9cdca93dd85c0f2a0c7e

SHA512
bad787101ea958687513c1369bb0a518789ada5ded643697d2b7b1fdfed7af6637ab857fc4ffce641d046f50ef74369c992a836d90134c921aa69a2db5ec6757

Download Submit
C:\Windows\{A9748195-9570-40fa-948E-0C094533AAF1}.exe

Filesize
197KB

MD5
50669b5bca174344ac0b770848ec8ee0

SHA1
1c95aed621e051647aa8db0d4fe7470fb4214ad0

SHA256
57badce67a7085da44e219a6afec433a088a46ad7335187d59f0e7535e71b5f3

SHA512
f75059898569db058ce0c8b18d4a56d8d9b1fe17b1ec773d54c10caf897bbf9f0a6bc158e99336c3abe6b5bbf3f4653063c169b1a3b766f7c78e4a78ecdbcf95

Download Submit
C:\Windows\{C38A6A6D-5B25-4783-89CE-6D0E40046BDF}.exe

Filesize
197KB

MD5
169a2e1283e971903e3603e487432e26

SHA1
f13219476c306fcbe18e35870daa14369dad1185

SHA256
c288ff4961e71e40ba6028f712b0f86529c3a4d83f2ba8acea15534de8224355

SHA512
d44e0e3dd921b825114b523b025b4c8ebd3ba5cea99ce8d1424751073474ed16b2ac2266fbdd85f9eac980f5e8da2c65e36b466e388452492db2395ea5e08eeb

Download Submit
C:\Windows\{E55B9043-921C-4305-842C-AF29B6C9F826}.exe

Filesize
197KB

MD5
7e687ed4c9e958eef2f2c77266cd255e

SHA1
ad4fb3af02e168d365d1e57fe79269a12bfe1b7b

SHA256
f7cffaa36fb7dd8ceb883ea2f37ad565e2fdd6c8405a682b4737114dd27e9736

SHA512
bcbf50ce61a457cc52fcce540a059020cbae3837b79662dd9c58dd7d245b654579c0930b7d9e6df7228c93212dfd5dea57022b1cfcc0f482004f0c6caeca60c3

Download Submit
C:\Windows\{F4AF5188-52FB-4457-8D8C-67DFE06F9764}.exe

Filesize
197KB

MD5
300ce87a2772bf8f34f69ee32eecc09e

SHA1
fdd899da5c846a129803c56473fffa597177d4a2

SHA256
67d9544026a282fe8703584fccdc08836131bdc6b586dfdd0fa74b9b286ef72c

SHA512
4bba0874673aa0799eecd3df964da8ecef6400ee2e2dcb960794926e68dbc7439225270db9364943d0dad5c356415c0aa343b52e76699075511b4a46d5ed2864

Download Submit
C:\Windows\{FF7C5490-9BF1-4735-B683-9CEA2470877C}.exe

Filesize
197KB

MD5
f0ed8c5b7b3a1d2b70fdfd32bd912385

SHA1
7b12b060311d47713abd0295f520a6eb10f55cfc

SHA256
859ae83a0781645ac190a8821135d99a931d542d718d4cfb12abd7b3d850fda4

SHA512
405674027f0097d5c6d52d312f12ed5b3b7e14a1eb7e2d3800cd0e805546a4064ff02c44e8588bda6892c7c686af6db2e2b3be71d704f4bb2cd94d64dc712c23

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads